test(security): DL-3 review nits — assert OnValidatePrincipal on prod path + warning/doc polish

Joseph Doherty
2026-06-16 08:52:28 -04:00
parent e89604298d
commit 75919cec31
3 changed files with 36 additions and 2 deletions
@@ -8,7 +8,15 @@ namespace ZB.MOM.WW.ScadaBridge.Security.Auth;
/// </summary>
public sealed class AuthDisableLoginOptions
{
/// <summary>Configuration section name (<c>ScadaBridge:Security:Auth</c>).</summary>
/// <summary>
/// Configuration section name (<c>ScadaBridge:Security:Auth</c>).
/// This is a CHILD sub-section of <c>ScadaBridge:Security</c> (where
/// <see cref="SecurityOptions"/> binds the parent fields) — not a sibling.
/// In appsettings.json nest it under the existing <c>Security</c> object:
/// <code>
/// "ScadaBridge": { "Security": { "Auth": { "DisableLogin": true } } }
/// </code>
/// </summary>
public const string SectionName = "ScadaBridge:Security:Auth";
/// <summary>When true, disable login and auto-authenticate every request. Default false.</summary>
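Review bot: The `<code>` sample added to the `SectionName` summary shows `"DisableLogin": true`, so the one snippet a reader is likely to copy into appsettings.json is the one that turns authentication off. The nesting can be shown just as well with the safe default, `"ScadaBridge": { "Security": { "Auth": { "DisableLogin": false } } }`, or the sample can be followed by `/// <remarks>Dev/test only; leave <c>DisableLogin</c> false in production.</remarks>`. As a style point, the parent/child explanation would read better in `<remarks>` so the `<summary>` stays a single line in IntelliSense. The class body continues past the end of the hunk.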
@@ -127,7 +127,7 @@ public static class ServiceCollectionExtensions
"AUTH DISABLED (ScadaBridge:Security:Auth:DisableLogin=true) — every request is " +
"authenticated as '{User}' with FULL permissions ({Roles}) across ALL sites. This " +
"is a SCADA control surface; dev/test ONLY — never enable in production.",
opts.User, string.Join(",", Roles.All)));
opts.User, string.Join(", ", Roles.All)));
}
else
{
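Review bot: The warning in this branch is the only safeguard visible here when `DisableLogin` is true: the message says "never enable in production", but nothing in the hunk enforces that. If the surrounding method has no environment check (it starts and ends outside the hunk, so this could not be confirmed), consider failing startup instead of logging, for example `if (opts.DisableLogin && env.IsProduction()) throw new InvalidOperationException("DisableLogin is not permitted in Production.");`. Here `env` stands for whatever `IHostEnvironment` instance is reachable at registration time. A warning is easy to miss in a log stream, while a refused start is not.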